All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
An XCCDF Rule
Description
Change the mode of interactive users home directories to 0750
. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
Rationale
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
- ID
- xccdf_org.ssgproject.content_rule_file_permissions_home_directories
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- DISA-STIG-RHEL-09-232050
Remediation - Shell Script
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
# Only update the permissions when necessary. This will avoid changing the inode timestamp when
# the permission is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;